SAVOIR Industrial Consultation · 2015-10-27 · ESA UNCLASSIFIED – For Official Use...

ESA UNCLASSIFIED – For Official Use

Jean-Loup TERRAILLON TEC-S

Giorgio MAGISTRATI TEC-EDD

SAVOIR Industrial Consultation


Terraillon/Magistrati| SAVOIR Industrial Consultation| ADCSS2015| 20/10/2015| Pag. 2

Specification production scheme.

Under SAG agreement;

1. A draft version is produced;

By a SAG working group

Output of an R&D activity

Proposed by Industry

ESA internal

2. Submitted for restricted review and updated as

needed

Check compliance to SAVOIR

architecture and principle

Completeness / consistency / etc

3. Submitted for public review and updated (same

objective as 2)

4. Verified by prototyping – to demonstrate maturity

of the spec., consistency with the ref architecture

(as far as possible on a case by case basis)

5. Publication

Functional / interface spec.

Public review

Proto-typing

Restricted review

publication



Consultation process, tool and O.N.

The use of the Prisma Rid tool allows to give full visibility to the reviewers.



Consultation focal points, Objectives

Focal Points reviewers selected in industry

with support of EuroSpace

Objectives of the consultation:

Verify reusability

Verify domain of reuse

Verify completeness

Verify industrial aspects (w.r.t.

product lines)

Verify dissemination aspects



Schedule

November 2014: First contacts with Eurospace

List of companies, list of focal points, consolidation of the

Organisation Note, preparation of the Rid tool

9 March 2015: kick-off of the review

17 April 2015: Rid cut-off date

Rid disposition process,

documents update

October 2015: ADCSS

Industrial consultation nearly completed!



SAVOIR Documentation Review

Three docs are in public review:

SAVOIR-TN-001- SAVOIR Functional

Reference Architecture

SAVOIR-GS-001- SAVOIR generic OBC specification

SAVOIR-GS-002- SAVOIR Flight Computer Initialisation

Sequence Generic Specification

The Review has been quite a success…

510 RIDs (159 major) have been generated…

Large participation ( 20 companies, ADS, TAS, OHB, CNES …)

SAVOIR-TN-001- 181 RIDs ( 34 Major)

SAVOIR-GS-001- 242 RIDs (88 Major)

SAVOIR-GS-002- 87 RIDs (37 Major)

Very constructive comments



Status of Rids and Actions

ESA has replied to a large number of Rids “autonomously”

Some Rids have been discussed at SAG level in June and September meetings

All Rids have been replied by ESA.

Authors have been notified to look at the replies and to complain if they

disagree.

Some authors have commented on the ESA reply. We have hold

teleconference or e-mail exchanges to sort out the issues and come to an

agreement.

All Rids are now considered agreed by the reviewers.

272 Rids are Accepted with Actions, 309 actions of document modifications are defined

238 Rids are Closed with the clarification or in favour of another Rid carrying the action.

Documents are (nearly) all updated

with change bars and trace to the Rid number

When finished (November), they will go for a short SAG review for final

endorsement (mimicking the role of TA in ECSS)

Then they will be published on ESSR



https://essr.esa.int/





https://essr.esa.int/ + login





https://essr.esa.int/ + login + More links



J.L. Terraillon

With support of Felice Torelli

Flight Computer Initialisation Sequence Generic

Specification (Boot software)

Review report



Statistics

87 Rids, 37 Majors, 50 minor

56 Rids proposed to be closed

by explanations and clarification,

without modification of the document.

31 Rids are proposed to be closed

with a modification of the document

All is documented in the Rid tool

There is a draft version of the document

with the proposed changes iss1 rev3b.



Major points

1- the applicability of the document.

OBC, PLM but which ones, and the others?

And which kind of architecture? (not redundant, and what about

multicore, and what about non-Leon...)

The decision is that it is applicable to any flight processor, but with

possibility to tailor in case of specific context.

An annex “How to use” is added to the spec (in the spirit of "generic"

spec), which are the elements that the specifier must tune or add in

order to produce the real document:

A bit like OBC spec did

“Hardware Assumptions”

Parameters



How to use…



Major points

2- Some emotion about PROM and EEPROM

instead of Non Volatile Memory.

Technology name (Prom, EEPROM, etc)

replaced by generic names:

[Non-]Volatile Read[-Write/-Only].

3- Lot of misunderstanding about the Watchdog, where is it , how it

works, who does what, etc.

The related text has been rephrased.

4- Some picky things in the

Initialisation sequence

sparc/non-sparc technology.



Major points

5- No full understanding of the mode management,

in particular around the StandBy mode:

when does it starts, how is it triggered,

does it include self tests or not,

how do you get out of it, what does it access...

This is due to the variability that is left

for the various implementations.

Some clarification inserted.

6- Severe inconsistency with the OBC spec, which had a complete

chapter on Boot SW and said sometimes different things with different

names.

Leave in the OBC spec the BootSW requirements impacting hardware

Concentrate the pure software requirements in the BootSW spec

several requirements added or modified.


Giorgio Magistrati

ASRA (TN-001)

Review report



Statistics

181 RIDs, 34 Major, 147

minors.

141 Rids are proposed

to be closed with a

modification of the

document

All is documented in the Rid tool

There is a draft version of the

document with the proposed

changes - iss1 rev3c



Major Rids

Functional and Physical view: More than one RID was saying that

functional and physical views were mixed. The documents has been

reviewed highlighting what is functional and what is physical, and

identifying in the text the parts that are functional and the parts that

are physical.

a pragmatic approach has been followed , we cannot present

the functional view in a way completely decoupled from a

physical view.

Physical views showing functions grouped in a OBC and a

RTU are presented as examples

Trends in Avionics have been included in the doc:

Decentralized vs centralized architecture,

Intelligent RTUs,

CANBus and digital sensor buses.

…



Major Rids

Redundancy Philosophy: cold/warm/hot redundancy are better

presented and described. More complex redundancy schemes have

been mentioned.

Sections on Command & Control Data Link function and Mission

Data link function have been partly reworded. Options and trade-

off on Point-to-point and Multipoint buses have been included.

Section on On Board Time function has been updated: the elements

of the OBT function (including sources: clocks, GNSS receivers) ,

redundancy scheme , number of outputs (now a parameter) have

been revised.

AOCS Sensors and Actuators : lists of sensor and actuators have

been updated and their use on different missions revised.

SECURITY The clear mode is considered an unacceptable security

risk in case of a malicious attack. It is stated that the decision to use

it must be the result of a security vs dependability trade-off.



Major/minor Rids

MAP IDs for TC are suggested for future implementations.(This is

done in order to unify the setting of future OBCs, in an similar way a

TM VCs allocation is proposed)

List of ADs and RDs revised (CCSDS and ECSS docs).

Glossary updated.

ECSS secretariat comments have been implemented.


G. Magistrati

OBC Specification (GS-001)

Review report



Statistics

242 Rids, 88 Majors, 154 minors, 23 minors converted in editorial.

109 actions: 98% have been implemented updating the spec, others:

#1 Change request to one ECSS doc (to be done),

(Principle of ) Tailoring proposed to be done in a separate

doc,

New functions as CFDP support in next edition.

87 Rids from SAG members (Primes) – the impression is that the

GS-001 has been extensively reviewed by primes – that is positive !

Several Mtgs/TLCs with few SAG members.



Major Rids

Role of Essential TM: The Essential TM function manages the

acquisition of essential telemetry and the download of the acquired

parameter through a dedicated virtual channel w/o SW intervention.

Pure HW implementation. Inside or outside the OBC.

As per SAG decision the ETM is optional.

The Essential Telemetry function acquires:

the ON/OFF status corresponding to the most vital HPC

commands

critical status linked to the TC reception chain (The CPDU

status report elaborated by the Command Pulse Distribution

Unit, Authentication status,…)

Other critical parameters: Power bus voltage status, Charge

level of the battery status, Deployment Mechanisms status, …

Better coherency between GS.001 and GS.002: Boot Sw

reqs moved to GS-002



Major Rids

Tailoring of OBC reqs for other missions different from the

ones considered by SAVOIR: it is proposed that (the principle of)

tailoring to cover the specificities of small satellite projects and small

sat OBC suppliers shall be put in the OBC handbook.

CAN/CANOpen added as low-medium speed bus for Command and

Control Bus and Mission Data Links.

Requirements will be available as DOORS Modules.

PM Benchmarks: the recommended benchmarks are Dhrystone and

Whetstone. These benchmarks might be susceptible to compiler

optimizations, therefore compiler options to be specified/detailed in

the report – Coremark is additionally proposed.

Security : strong revision of the sections dedicated to Security, the

Security clause now refers directly to the CCSDS Space Data Link

Security Protocol (CCSDS 355.0-B-1 Blue Book) and CCSDS

Cryptographic algorithms (CCSDS 352.0-B-1 Blue Book)



Major/minor Rids

More parameters have been added for a more “generic” Spec

(possible tailoring is also simplified).

Glossary added.

ECSS secretariat comments have been implemented.

Basically all the OBC functions have been upgraded improving the

text or the rationale ( Also the title has changed : SAVOIR generic

OBC functional specification !).



New SAVOIR Avionics Functional Diagram

Telecommand

Platform

Telemetry

Time

reference

Security

Reconfiguration

Processing

On-Board

Time

Platform

Data Storage

Safe-Guard

MemoryEssential

TC

Cmd & Ctrl

Links

Mission

Data LinksTC

CLTUs

Authentication/

Decryption

Encryption

TM

CADUs

Context data,

Boot report

CLCW

CPDU commands

CPDU

commands

Essential

TM

TM

packets

X

Enable/Disable

Alarms

Discrete

signals

System

alarms

Time

and

time

tick

Trig

TM

packets

TM packets

TC

Segments

Platform

sensors and

actuators

Platform

commandingPayload

commanding

Data

Concentrator

Sensor and

actuator I/F

Sensor and

actuator I/F

Synchronisation

Payload

Data

Storage

Instruments incl.

ICUs,

Payload I/F Unit

Payload

Data Routing

X

Platform Payload

TC Segments

TM packets,

files

Time tick

Time

TM

frame

sync

Payload

synchronisation

Payload control

Inter

-PM

Platform

synchronisation

Hot redundant operation

Cold redundant operation

Warm or cold redundant operation

Payload

Telemetry TM

CADUs

Security

Encryption

Payload direct monitoring

PIO

PIO

Time & Tick

RM log

TC Segments

TC

Segments

Status

Warm redundant operation



Questions ?

SAVOIR Industrial Consultation · 2015-10-27 · ESA UNCLASSIFIED – For Official Use...

Documents

Transcript of SAVOIR Industrial Consultation · 2015-10-27 · ESA UNCLASSIFIED – For Official Use...